Avast analysts have unexpectedly obtained the source code of the GhostDNS exploit kit. The researchers got access to it thanks to a mistake by an unknown attacker.
GhostDNS is an exploit kit targeting home routers: it uses CSRF requests to change the router's DNS settings and then redirects users to phishing pages that harvest their credentials for various sites and services.
According to the researchers, an unknown attacker uploaded an archive named KL DNS.rar, which was not password-protected, to an unnamed file-sharing service; it contained the malware and several phishing pages. The attacker apparently forgot that Avast Antivirus, with its Web Shield component (which protects against malicious web content) enabled, was installed on his machine. As a result, the malicious file was picked up and analysed by the Avast product, and the researchers got access to the source.
“We downloaded the linked file and found the full source code for the GhostDNS exploit kit,” experts say.
Analysis of the malware showed that the exploit kit attacks routers with two modules, Router EK and BRUT, both of which use CSRF requests to change DNS settings. Router EK is intended for attacks from inside the local network and requires the user to click a malicious link, whereas BRUT is a scanner that searches the internet for insecure routers and attacks them directly, with no user interaction required.
In the archive the researchers found a list of IP address prefixes in 69 countries that the malware was to scan; for each prefix, 65,536 addresses (a /16 block) were checked. Most of the target prefixes were in South America, mainly Brazil, but the USA, Australia and Germany were also of interest to the malware.
To gain access to a device and override its DNS settings, the new version of GhostDNS brute-forces the login with a small dictionary of 22 default credential pairs; older versions of the malware used a list of 84.
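BRUT's behaviour, an internet-wide scan followed by a run through a short list of default credentials, leaves a recognisable trace on a router's admin interface: a burst of failed logins with several different usernames from one external address, sometimes followed by a success. The following added example (not code from the kit or from Avast's write-up) shows detection logic for that pattern run over constructed log lines; the log format, the LAN range 192.168.1.0/24, the threshold and the time window are assumptions chosen for illustration, not anything the article describes.

```python
"""Flag BRUT-style credential guessing against a router's admin login.

Added example, not code from the GhostDNS kit or from Avast's analysis.
The log format is constructed for illustration: one line per login attempt,
"<ISO timestamp> <source IP> <username> <OK|FAIL>". Real routers and reverse
proxies log differently; adapt parse_line() to the format you actually have.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed LAN range; anything outside it is treated as an internet source.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines: a burst of default-credential guesses from one
# internet host ending in a successful login, a normal LAN login, and one
# isolated failure that should not trigger an alert.
SAMPLE_LOG = """\
2019-05-21T10:00:01 203.0.113.7 admin FAIL
2019-05-21T10:00:02 203.0.113.7 admin FAIL
2019-05-21T10:00:02 203.0.113.7 root FAIL
2019-05-21T10:00:03 203.0.113.7 support FAIL
2019-05-21T10:00:03 203.0.113.7 user FAIL
2019-05-21T10:00:04 203.0.113.7 admin OK
2019-05-21T10:05:00 192.168.1.20 admin OK
2019-05-21T10:06:00 198.51.100.9 admin FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source IP, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), user, result


def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {source_ip: details} for every source that produced at least
    `threshold` failed logins inside any `window`-long span, and record whether a
    successful login followed the burst (the case that needs immediate action)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            events[src].append((ts, user, result))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        fails = [e for e in evs if e[2] == "FAIL"]
        # Sliding window over the failures only.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst_start = fails[i][0]
                alerts[str(src)] = {
                    "failures": j - i,
                    "usernames": sorted({f[1] for f in fails[i:j]}),
                    "from_lan": src in LAN,
                    "success_after_burst": any(
                        e[2] == "OK" and e[0] >= burst_start for e in evs),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

An alert with `from_lan` false and `success_after_burst` true is the BRUT case the article describes: an internet host ran through default credentials and got in, so the router's DNS settings should be checked immediately. Raising `threshold` or shortening `window` trades missed slow scans for fewer false positives; a user mistyping a password a few times from the LAN stays below a threshold of four within a minute.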
Once it has access, the malware changes the DNS settings so that the router points to the attacker's servers. To answer the queries that arrive there, the kit includes a cracked copy of SimpleDNS Plus.
Router EK, in turn, reaches victims through malicious advertising. When the user clicks such an ad, the kit first tries to discover the router's internal IP address. It uses a smaller credential set than BRUT: Avast analysts found a list of just eight username/password pairs, all for routers most commonly found in Brazil.
If the router's credentials are guessed successfully, GhostDNS moves on to the phase of serving phishing pages. The KL DNS.rar archive contained several templates of such fakes, imitating the sites of the largest Brazilian banks and Netflix.
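The visible effect of the hijack is that the resolver handed out by the router answers bank and streaming hostnames with the attacker's addresses. A direct check is to ask the router-configured resolver and a trusted resolver for the same names and flag any name whose answers do not overlap. The added example below (not from the article, the kit or Avast's analysis) builds the DNS A query and parses the reply with the Python standard library only, so it works against any resolver; the domain names and IP addresses in it are constructed placeholders, and FAKE_REPLY is a hand-built rogue answer so the parser can be exercised offline.

```python
"""Detect a rogue resolver by comparing A-record answers for watched names.

Added example, not code from the GhostDNS kit or from Avast's write-up.
Names such as bank.example and addresses from the documentation ranges
(192.0.2.0/24, 198.51.100.0/24) are constructed placeholders.
"""
import ipaddress
import socket
import struct


def build_a_query(name, txid=0x1234):
    """Encode a standard RFC 1035 A query for `name` (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(pkt, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(pkt[off:off + ln].decode())
        off += ln


def parse_a_answers(pkt):
    """Return the IPv4 addresses found in the answer section of a DNS reply."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):            # skip the echoed question(s)
        _, off = _read_name(pkt, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return addrs


def query_a(name, server, timeout=2.0):
    """Send the query to `server` over UDP/53 and parse the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data)


def find_hijacked(router_answers, trusted_answers):
    """Names whose answers from the router's resolver share no address with the
    trusted resolver's answers. Both arguments map name -> list of IPv4 strings."""
    return sorted(n for n, a in router_answers.items()
                  if not set(a) & set(trusted_answers.get(n, [])))


# Constructed reply, as a rogue resolver might answer "bank.example" with
# 198.51.100.5: header (response, RD+RA), echoed question, one A record whose
# name is a compression pointer (0xc00c) back to the question name.
FAKE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x04bank\x07example\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 5])
)

if __name__ == "__main__":
    rogue = {"bank.example": parse_a_answers(FAKE_REPLY)}
    trusted = {"bank.example": ["192.0.2.10", "192.0.2.11"]}
    print("hijacked:", find_hijacked(rogue, trusted))
```

To run it live, call `query_a(name, <router LAN IP>)` and `query_a(name, <trusted resolver>)` for each watched name, collect the two dicts and pass them to `find_hijacked()`; an empty list means no disagreement. CDN-fronted sites legitimately return different A records from different vantage points, so compare against a trusted resolver queried from the same network rather than against a static list, and treat a non-empty result as a prompt to inspect the router's DNS settings, not as proof on its own.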